No Content-Security-Policy meta tag found error in my phonegap application

Question

After update Cordova 5 0 in my system  I create new applications  When I tested my application on a device that time I get an error in the console log   No Content-Security-Policy meta tag found  Please add one when using the Cordova-plugin-whitelist plugin   23    I add meta in the head section    lt meta http-equiv  Content-Security-Policy  content  default-src    style-src  self   unsafe-inline   script-src   self   unsafe-inline   unsafe-eval  gt    But again  I got the same error  in the application I use in-app browser plugin and 7 of other website links

User · Accepted Answer

After adding the cordova-plugin-whitelist, you must tell your application to allow access all the web-page links or specific links, if you want to keep it specific.

You can simply add this to your config.xml, which can be found in your application's root directory:

Recommended in the documentation:

<allow-navigation href="http://example.com/*" />

or:

<allow-navigation href="http://*/*" />

From the plugin's documentation:

Navigation Whitelist

Controls which URLs the WebView itself can be navigated to. Applies to top-level navigations only.

Quirks: on Android it also applies to iframes for non-http(s) schemes.

By default, navigations only to file:// URLs, are allowed. To allow other other URLs, you must add tags to your config.xml:

<allow-navigation href="http://example.com/*" />


<allow-navigation href="*://*.example.com/*" />


<allow-navigation href="*" />


<allow-navigation href="http://*/*" />
<allow-navigation href="https://*/*" />
<allow-navigation href="data:*" />

User · Answer

There are errors in your meta tag   Yours    lt meta http-equiv  Content-Security-Policy  content  default-src    style-src  self   unsafe-inline   script-src   self   unsafe-inline   unsafe-eval  gt    Corrected    lt meta http-equiv  Content-Security-Policy  content  default-src    style-src  self   unsafe-inline   script-src  self   unsafe-inline   unsafe-eval    gt    Note the colon after  script-src   and the end double-quote of the meta tag

User · Answer

For me it was enough to reinstall whitelist plugin      cordova plugin remove cordova-plugin-whitelist   and then  cordova plugin add cordova-plugin-whitelist   It looks like updating from previous versions of Cordova was not succesful

User · Answer

You have to add a CSP meta tag in the head section of your app s index html  As per https   github com apache cordova-plugin-whitelist content-security-policy     Content Security Policy      Controls which network requests  images  XHRs  etc  are allowed to be made  via webview directly        On Android and iOS  the network request whitelist  see above  is not   able to filter all types of requests  e g   lt video gt   amp  WebSockets are   not blocked   So  in addition to the whitelist  you should use a   Content Security Policy    lt meta gt  tag on all of your pages       On Android  support for CSP within the system webview starts with   KitKat  but is available on all versions using Crosswalk WebView        Here are some example CSP declarations for your  html pages    lt  -- Good default declaration        gap  is required only on iOS  when using UIWebView  and is needed for JS- gt native communication       https   ssl gstatic com is required only on Android and is needed for TalkBack to function properly       Disables use of eval   and inline scripts in order to mitigate risk of XSS vulnerabilities  To change this            Enable inline JS  add  unsafe-inline  to default-src           Enable eval    add  unsafe-eval  to default-src -- gt   lt meta http-equiv  Content-Security-Policy  content  default-src  self  data  gap  https   ssl gstatic com  style-src  self   unsafe-inline   media-src    gt    lt  -- Allow requests to foo com -- gt   lt meta http-equiv  Content-Security-Policy  content  default-src  self  foo com  gt    lt  -- Enable all requests  inline styles  and eval   -- gt   lt meta http-equiv  Content-Security-Policy  content  default-src    style-src  self   unsafe-inline   script-src  self   unsafe-inline   unsafe-eval   gt    lt  -- Allow XHRs via https only -- gt   lt meta http-equiv  Content-Security-Policy  content  default-src  self  https   gt    lt  -- Allow iframe to https   cordova apache org  -- gt   lt meta http-equiv  Content-Security-Policy  content  default-src  self   frame-src  self  https   cordova apache org  gt

User · Answer

There is an another issue about connection  Some android versions can connect but some cannot  So there is an another solution   in AndroidManifest xml    x000D   x000D   lt application     android usesCleartextTraffic  true  gt  x000D              x000D       lt  application gt  x000D   x000D   x000D    Just add  android usesCleartextTraffic  true    and problem solved finally

User · Answer

For me the problem was that I was using obsolete versions of the cordova android and ios platforms  So upgrading to android 5 1 1 and ios 4 0 1 solved it   You can upgrade to these specific versions   cordova platforms rm android cordova platforms add android 5 1 1 cordova platforms rm ios cordova platforms add ios 4 0 1

[cordova] "No Content-Security-Policy meta tag found." error in my phonegap application

Examples related to cordova

Examples related to phonegap-plugins

Examples related to whitelist